Random in Session array Memory Limit Crash

Posted: Wed Jul 22, 2009 10:29 am
by tonebari
Hi all:
I have the following in a function to call within forms:

$formid=uniqid(mt_rand(100000000, 1000000000), false);
$token=uniqid(mt_rand(100000000, 1000000000), false);
$_SESSION['token'][$formid] = $token;
$inputs='
<input type="hidden" name="formid" value = "'.$formid.'" />
<input type="hidden" name="token" value = "'.$_SESSION['token'][$formid].'" />';
return $inputs;
Line 3 crashes the server: out of memory. I have tried simpler random generators with the same net result. What am I doing wrong? Thank YOU!

Re: Random in Session array Memory Limit Crash

Posted: Wed Jul 22, 2009 10:40 am
by jackpf
I just tried it and it worked fine.

And I'm on a sh|tty laptop with 256mb memory.

Re: Random in Session array Memory Limit Crash

Posted: Wed Jul 22, 2009 2:33 pm
by tonebari
Yeah, I dunno. I ended up switching around the array by swapping the position of the random string and the 'formid' and it worked. However, I had this both locally and remotely and it did the same thing on both machines. Here's what ended up working:

function form_token_string(){
    $formid=(string)uniqid(mt_rand(100000000, 1000000000), false);
    $token=(string)uniqid(mt_rand(100000000, 1000000000), false);
    $_SESSION[$formid]['token'] = $token;
    $inputs='<input type="hidden" name="formid" value = "'.$formid.'" />
<input type="hidden" name="token" value = "'.$_SESSION[$formid]['token'].'" />';
    return $inputs;
}
Thanks!

Re: Random in Session array Memory Limit Crash

Posted: Thu Jul 23, 2009 6:44 am
by jackpf
If you're running this on like...every page, then I guess the session could just get so huge, because you're creating a new key for it as well every time.

So instead of overwriting the last one, you're creating a new one. It seems kind of pointless as well tbh...why do you need two random strings?

Re: Random in Session array Memory Limit Crash

Posted: Thu Jul 23, 2009 9:58 am
by tonebari
Here's my reason:
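function require_token(){ // this is called in each form processor
    $valid=true;
    if(!isset($_REQUEST['formid'], $_REQUEST['token'])){
        $valid=false;
    } else {
        $id=$_REQUEST['formid'];
        // reject unknown form ids and compare strictly, so two missing values never count as a match
        if(!is_string($id) || !isset($_SESSION[$id]['token']) || $_REQUEST['token']!==$_SESSION[$id]['token']){
            $valid=false;
        }
    }
    if(!$valid) { die('Access denied'); }
}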
Since there are multiple forms on many pages, I have to be able to validate security tokens for each one. You are right: session data does get big. I have this site's sessions in a db, and there is cleanup. Funny, my cleanup function had an error and after I implemented db sessions, I came back in 4 days and there were thousands of sessions. LOL

Re: Random in Session array Memory Limit Crash

Posted: Thu Jul 23, 2009 10:21 am
by jackpf
I just have a hidden input, with a random number, a cookie with the same number, and if they don't match on submit, then display an error.

It works well enough...I still don't see why two random strings are necessary.
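
Added example, not code from any poster in this thread: the per-form token scheme discussed above, with the two issues raised in the replies handled, namely session growth (a fixed cap on outstanding tokens) and validation of missing or mismatched values. It also swaps uniqid()/mt_rand(), which are not cryptographically secure, for random_bytes(). The function names, the 'form_tokens' key and the cap of 20 are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Function names and MAX_FORM_TOKENS
// are hypothetical; pass $_SESSION as $store in a real application (PHP 7+).
const MAX_FORM_TOKENS = 20; // assumed cap on outstanding forms per session

function issue_form_token(array &$store): string
{
    if (!isset($store['form_tokens']) || !is_array($store['form_tokens'])) {
        $store['form_tokens'] = [];
    }
    $formid = bin2hex(random_bytes(8));   // lookup key only, not a secret
    $token  = bin2hex(random_bytes(32));  // CSPRNG instead of uniqid()/mt_rand()
    $store['form_tokens'][$formid] = $token;
    // Keep only the newest entries so the session cannot grow without bound.
    $store['form_tokens'] = array_slice($store['form_tokens'], -MAX_FORM_TOKENS, null, true);
    return '<input type="hidden" name="formid" value="' . $formid . '" />' . "\n"
         . '<input type="hidden" name="token" value="' . $token . '" />';
}

function token_is_valid(array &$store, array $request): bool
{
    $formid = $request['formid'] ?? null;
    $token  = $request['token'] ?? null;
    $tokens = $store['form_tokens'] ?? null;
    if (!is_string($formid) || !is_string($token) || !is_array($tokens)) {
        return false;                       // missing or array-valued input
    }
    $expected = $tokens[$formid] ?? null;
    unset($store['form_tokens'][$formid]);  // single use, whether or not it matched
    return is_string($expected) && hash_equals($expected, $token);
}

// Constructed demo: a plain array stands in for $_SESSION.
$session = [];
$html = issue_form_token($session);
preg_match_all('/value="([0-9a-f]+)"/', $html, $m);
$post = ['formid' => $m[1][0], 'token' => $m[1][1]];
var_dump(token_is_valid($session, $post));   // first submission
var_dump(token_is_valid($session, $post));   // replay of the same token
for ($i = 0; $i < 100; $i++) { issue_form_token($session); }
var_dump(count($session['form_tokens']));    // outstanding tokens after 100 more forms
```

Because each token is deleted on its first check, a replayed submission fails, and the oldest forms stop validating once more than the cap have been issued in one session.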